RE: Steady increase in ssh scans

From: Etienne Joubert (etienneat_private)
Date: Mon Feb 11 2002 - 23:03:09 PST

    >>On Tue, 2002-02-12 at 05:35, TCG CSIRT wrote:
    
    >> Has anyone seen evidence of a worm?
    
    >no, but then we have not had any compromises.  I have seen no random probing
    >that is favoured by most worms.  I do believe that there are worms out there
    >that exploit BIND problems,  I regularly see random probes on udp 53.
    
    I left one of our machines open, it got compromised and was running vuln
    checks and attempts on addresses specified in a txt file. A lot of binaries
    were replaced except for `find`.
    From this I could work my way through the cleanup process and see everything
    that was going on.
    Not surprising there was a backdoor shell through which the silent intruder
    started the daemons to scan/attack other addresses.
    
    I'm sure it's easy enough for them to simply automate this process and bam,
    you got a worm.
    PS: Our log counters are sitting at just over 4000 since 1 Feb.
    
    regards,
    EJ
    CiTEC.NET
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 09:04:13 PST